hcvault

package
v2.1.0
Published: Mar 14, 2024 License: Apache-2.0 Imports: 10 Imported by: 1

Documentation

Overview

Package hcvault provides integration with the HashiCorp Vault.

Example
package main

import (
	"crypto/tls"
	"log"

	"github.com/tink-crypto/tink-go-hcvault/v2/integration/hcvault"
	"github.com/tink-crypto/tink-go/v2/aead"
)

func main() {
	// With Tink's KMS envelope AEAD the Vault key only wraps the per-message DEK and is
	// called with empty associated data, so use a Transit key with "derived=false"
	// (see the Warning under WithLegacyContextParamater). The associatedData passed
	// below authenticates the envelope ciphertext locally and is not sent to Vault.
	const keyURI = "hcvault://hcvault.corp.com:8200/transit/keys/key-1"

	vaultClient, err := hcvault.NewClient(keyURI, tlsConfig(), vaultToken())
	if err != nil {
		log.Fatal(err)
	}
	kekAEAD, err := vaultClient.GetAEAD(keyURI)
	if err != nil {
		log.Fatal(err)
	}
	// Wrap a fresh AES128-CTR-HMAC-SHA256 data-encryption key under the Vault key.
	// NewKMSEnvelopeAEAD2 returns only the AEAD, so there is no error to check here.
	dekTemplate := aead.AES128CTRHMACSHA256KeyTemplate()
	a := aead.NewKMSEnvelopeAEAD2(dekTemplate, kekAEAD)

	plaintext := []byte("plaintext")
	associatedData := []byte("associatedData")

	ciphertext, err := a.Encrypt(plaintext, associatedData)
	if err != nil {
		log.Fatal(err)
	}

	_, err = a.Decrypt(ciphertext, associatedData)
	if err != nil {
		log.Fatal(err)
	}
}

func tlsConfig() *tls.Config {
	// Return a TLS configuration used to communicate with Vault server via HTTPS.
	return nil
}

func vaultToken() string {
	return "" // Your Vault token.
}

Functions

func NewAEAD added in v2.1.0

func NewAEAD(keyPath string, client *api.Logical, opts ...AEADOption) (tink.AEAD, error)

NewAEAD returns a new remote AEAD primitive for a HashiCorp Vault service.

func NewClient

func NewClient(uriPrefix string, tlsCfg *tls.Config, token string) (registry.KMSClient, error)

NewClient returns a new client to HashiCorp Vault. The uriPrefix parameter must be a valid URI with the "hcvault" scheme and the Vault server address and port. Specific key URIs are matched against this prefix to determine whether the client supports the key. tlsCfg is the tls.Config used to communicate with the Vault server over HTTPS; if none is given (nil), a default tls.Config{} is used.
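The prefix contract above is easy to get subtly wrong, so here is an added example (written for this page, not the hcvault package's own code) that parses a key URI into its Vault address, Transit mount and key name, and models the prefix match a client built from uriPrefix applies. The VaultKey type, parseKeyURI and supported are hypothetical helpers; the string-prefix match and the <mount>/encrypt/<name> and <mount>/decrypt/<name> endpoint layout are assumptions taken from the Transit API docs the page links to.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// VaultKey is what a key URI identifies: a Transit key on a Vault server.
// Hypothetical type written for this example, not part of the hcvault package.
type VaultKey struct {
	Address string // Vault server host:port
	Mount   string // Transit mount path, e.g. "transit"
	Name    string // key name, e.g. "key-1"
}

// parseKeyURI accepts hcvault://<host:port>/<mount>/keys/<name> and rejects
// anything else: wrong scheme, missing address, or a path that does not end in
// "keys/<name>". The mount may itself contain slashes.
func parseKeyURI(keyURI string) (VaultKey, error) {
	u, err := url.Parse(keyURI)
	if err != nil {
		return VaultKey{}, err
	}
	if u.Scheme != "hcvault" {
		return VaultKey{}, fmt.Errorf("scheme %q is not hcvault", u.Scheme)
	}
	if u.Host == "" {
		return VaultKey{}, errors.New("key URI has no Vault address")
	}
	parts := strings.Split(strings.Trim(u.Path, "/"), "/")
	n := len(parts)
	if n < 3 || parts[n-2] != "keys" || parts[n-1] == "" {
		return VaultKey{}, fmt.Errorf("path %q is not <mount>/keys/<name>", u.Path)
	}
	return VaultKey{Address: u.Host, Mount: strings.Join(parts[:n-2], "/"), Name: parts[n-1]}, nil
}

// supported models the check a client built from uriPrefix applies to a key URI
// (assumed here to be a plain string-prefix match on a validated key URI).
func supported(uriPrefix, keyURI string) bool {
	if !strings.HasPrefix(uriPrefix, "hcvault://") {
		return false
	}
	if _, err := parseKeyURI(keyURI); err != nil {
		return false
	}
	return strings.HasPrefix(keyURI, uriPrefix)
}

// EncryptPath and DecryptPath give the Transit endpoints used for the key,
// following the <mount>/encrypt/<name> and <mount>/decrypt/<name> layout
// of the Transit API (assumption based on the linked API docs).
func (k VaultKey) EncryptPath() string { return k.Mount + "/encrypt/" + k.Name }
func (k VaultKey) DecryptPath() string { return k.Mount + "/decrypt/" + k.Name }

func main() {
	// Constructed sample values; hcvault.corp.com is the placeholder host from the page's example.
	const prefix = "hcvault://hcvault.corp.com:8200/"
	for _, uri := range []string{
		"hcvault://hcvault.corp.com:8200/transit/keys/key-1",
		"hcvault://hcvault.corp.com:8200/secrets/transit/keys/key-1",
		"hcvault://other.corp.com:8200/transit/keys/key-1",
		"https://hcvault.corp.com:8200/transit/keys/key-1",
		"hcvault://hcvault.corp.com:8200/transit/key-1",
	} {
		k, err := parseKeyURI(uri)
		fmt.Printf("%-62s supported=%-5t key=%+v err=%v\n", uri, supported(prefix, uri), k, err)
	}
}
```

One practical caveat the prefix match exposes: end the prefix with a trailing slash after the port ("hcvault://hcvault.corp.com:8200/"). Without it, "hcvault://hcvault.corp.com:8200" is also a string prefix of a key on "hcvault.corp.com:82000", so a client could be handed a key URI for a different server.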

Types

type AEADOption added in v2.1.0

type AEADOption interface {
	// contains filtered or unexported methods
}

AEADOption is an interface for defining options that are passed to NewAEAD.

func WithLegacyContextParamater added in v2.1.0

func WithLegacyContextParamater() AEADOption

WithLegacyContextParamater lets the remote AEAD populate the "context" parameter in encrypt and decrypt requests instead of the "associated_data" parameter.

Using this option makes the AEAD compatible with the instance returned by GetAEAD from the KMSClient returned by NewClient. For new keys, this option should not be used.

## Warning

Vault only uses the "context" parameter for keys which have derivation enabled (with "derived=true") and ignores it otherwise. For such keys, the "context" parameter is required to be non-empty.

Therefore:

- for keys with "derived=false", you should only use empty associated data.
- for keys with "derived=true", you should only use non-empty associated data.

With Tink's "KMS envelope AEAD", always use a key with "derived=false".

For reference, see https://developer.hashicorp.com/vault/api-docs/secret/transit.
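To make the rules in this Warning concrete, the following added example (written for this page, not the hcvault package's own code) builds the body of a Transit encrypt request the way the two AEAD flavours on this page would: associated data goes into "context" in legacy mode (WithLegacyContextParamater, or GetAEAD from NewClient) and into "associated_data" otherwise (NewAEAD), and the derived-key checks reject the combinations the Warning says not to use. transitEncryptBody and envelopeWrapDEK are hypothetical helpers; that the KMS envelope AEAD wraps the DEK with empty associated data is an assumption about Tink's envelope construction, and the key's "derived" setting is assumed to be known from how the key was created.

```go
package main

import (
	"encoding/base64"
	"errors"
	"fmt"
)

// transitEncryptBody builds the body of a Transit encrypt request. The associated
// data is sent as "context" when legacyContext is set and as "associated_data"
// otherwise. derived is the key's "derived" setting (assumed known). The checks
// encode the Warning: Vault requires a non-empty "context" for derived keys and
// ignores "context" for all other keys. Hypothetical helper, not package code.
func transitEncryptBody(plaintext, associatedData []byte, derived, legacyContext bool) (map[string]string, error) {
	body := map[string]string{"plaintext": base64.StdEncoding.EncodeToString(plaintext)}
	if len(associatedData) > 0 {
		param := "associated_data"
		if legacyContext {
			param = "context"
		}
		body[param] = base64.StdEncoding.EncodeToString(associatedData)
	}
	if derived && body["context"] == "" {
		return nil, errors.New("derived key: Vault requires a non-empty context parameter")
	}
	if !derived && body["context"] != "" {
		return nil, errors.New("non-derived key: Vault ignores context, so the associated data would not be authenticated")
	}
	return body, nil
}

// envelopeWrapDEK models the remote call the KMS envelope AEAD makes (assumption):
// the Vault key encrypts a data-encryption key with empty associated data. That is
// why the Warning says the envelope AEAD must use a key with derived=false.
func envelopeWrapDEK(dek []byte, derived, legacyContext bool) (map[string]string, error) {
	return transitEncryptBody(dek, nil, derived, legacyContext)
}

func main() {
	// Constructed sample inputs.
	plaintext, ad := []byte("plaintext"), []byte("associatedData")
	dek := []byte("0123456789abcdef") // stand-in for a random 16-byte DEK
	cases := []struct {
		name            string
		derived, legacy bool
	}{
		{"derived=true, context", true, true},
		{"derived=false, context", false, true},
		{"derived=false, associated_data", false, false},
	}
	for _, c := range cases {
		body, err := transitEncryptBody(plaintext, ad, c.derived, c.legacy)
		fmt.Printf("%-32s body=%v err=%v\n", c.name, body, err)
	}
	_, err := envelopeWrapDEK(dek, true, true)
	fmt.Println("envelope with derived=true: ", err)
	body, _ := envelopeWrapDEK(dek, false, false)
	fmt.Println("envelope with derived=false:", body)
}
```

The second check is the one that matters for security: with a derived=false key and the legacy "context" parameter, Vault accepts the request but does not bind the associated data to the ciphertext, so a decrypt with different associated data would still succeed. Failing locally is better than silently losing that binding.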
